Difference between revisions of "Random number generation"

From Messaging Server Technical Reference Wiki
Latest revision as of 16:25, 20 May 2020

Messaging Server uses the special device /dev/urandom for direct generation of random numbers on all platforms. The direct uses of random numbers include:

  • The recipe language's strongrandom function.
  • The strongrandom function provided for use in system-level sieves.
  • Generation of authentication nonce values.
  • Generation of initialization vectors when encrypting store message files.
  • Generation of recall/tracking secrets for message tracking and recall.
  • Generation of an internal key used for password obfuscation while preserving the ability to perform comparisons in the msconfig differences command.

Note: Random numbers needed for SSL/TLS operations are generated by the underlying cryptographic libraries.

Contrary to popular belief, /dev/urandom provides a high quality cryptographically secure random number source on all modern versions of Linux and Solaris. And with the possible exception of Solaris SPARC, the inclusion of entropy obtained from the HRNG provided by all recent Intel CPUs eliminates any "low entropy" conditions on startup.

For the one remaining case of Solaris SPARC, anyone concerned about a lack of entropy on startup can implement the following two procedures that preserve the entropy in the entropy pool across reboots:

  echo "Initializing random number generator..."
  # Location of the saved seed file (example path; the original left $random_seed unset)
  random_seed=/var/run/random-seed
  # Load and then save some entropy from the pool
  if [ -f $random_seed ]; then
    cat $random_seed >/dev/urandom
  else
    touch $random_seed
  fi
  chmod 600 $random_seed
  dd if=/dev/urandom of=$random_seed count=1 bs=512

This first procedure should be run as root at system startup. The second procedure is:

  # Carry a random seed from shut-down to start-up
  # Save some entropy from the entropy pool
  echo "Saving random entropy..."
  # Location of the saved seed file (example path; the original left $random_seed unset)
  random_seed=/var/run/random-seed
  touch $random_seed
  chmod 600 $random_seed
  dd if=/dev/urandom of=$random_seed count=1 bs=512

This second procedure should be run as root at system shutdown as well as periodically.

Finally, a Messaging Server-specific trick for providing additional entropy when unified configuration is in use is to hash the Messaging Server configuration file and feed the digest into the random device. This can be done with a command of the general form:

openssl dgst -sha512 /var/opt/sun/comms/messaging64/config/config.xml >/dev/urandom

This provides significantly more entropy than might be expected, because the configuration generation utilities in Messaging Server tag each option value with a last-modified time.
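The two seed procedures above and the configuration-hash step, combined into one script as an added example; this is not Messaging Server's own code. The seed path /var/run/random-seed, the function names and the RANDOM_DEV/SEED_FILE/CONFIG_FILE overrides are this example's assumptions; the configuration path is the one quoted in the text.

```shell
#!/bin/sh
# Added example: "start" at boot (load old seed, then save a new one),
# "save" at shutdown and periodically, "mix" to hash the unified config.
# All three paths below are assumptions for this example, not values from
# the product documentation (CONFIG_FILE is the path quoted in the text).
RANDOM_DEV=${RANDOM_DEV:-/dev/urandom}
SEED_FILE=${SEED_FILE:-/var/run/random-seed}
CONFIG_FILE=${CONFIG_FILE:-/var/opt/sun/comms/messaging64/config/config.xml}
SEED_BYTES=512

# Write a fresh 512-byte seed from the pool. The file is created with a
# restrictive umask before any seed bytes land in it, so another local user
# never gets a window in which the seed is world-readable.
save_seed() {
    ( umask 077; : > "$SEED_FILE" ) || return 1
    chmod 600 "$SEED_FILE" || return 1
    dd if="$RANDOM_DEV" of="$SEED_FILE" bs=$SEED_BYTES count=1 2>/dev/null
}

# At start-up: feed the previous seed back into the pool, then replace it
# immediately so the same seed file is not fed in again after a crash or
# the next reboot.
load_seed() {
    if [ -f "$SEED_FILE" ]; then
        cat "$SEED_FILE" >"$RANDOM_DEV" || return 1
    fi
    save_seed
}

# Mix the SHA-512 digest of the configuration file into the pool
# (the Messaging Server-specific trick); a no-op if the file is absent.
mix_config() {
    [ -r "$CONFIG_FILE" ] || return 0
    openssl dgst -sha512 "$CONFIG_FILE" >"$RANDOM_DEV"
}

# Size of the saved seed in bytes (used to confirm a full seed was written).
seed_size() { wc -c < "$SEED_FILE" | tr -d ' '; }

case "${1:-}" in
    start) load_seed ;;
    save)  save_seed ;;
    mix)   mix_config ;;
esac
```

On Linux a plain write to /dev/urandom mixes the data into the pool but does not raise the kernel's entropy estimate, so the seed file preserves unpredictability across reboots rather than satisfying any entropy-count check.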